ClickFix, the trick that fools people into running malware by hand, has quietly grown a back office. New research shows the malicious commands behind its fake "prove you're human" pages are now handed out by API-driven servers that give each visitor the same malware in a different disguise. The same research also turned up a new delivery method built to slip past Windows' script scanning.
Analysis Summary
# Tool/Technique: ClickFix (API-Driven Evolution)
## Overview
ClickFix is a social engineering technique that misleads users into manually executing malicious commands. It typically presents a fake CAPTCHA or "browser error" page that instructs the victim to copy a command to their clipboard and paste it into a system terminal (PowerShell or Windows Terminal) to "verify" they are human or fix the error. This bypasses many automated email and web filters because the initial infection vector relies on manual user action rather than an automated exploit.
## Technical Details
- **Type:** Technique / Malware Delivery Framework
- **Platform:** Windows, macOS
- **Capabilities:** Social engineering, clipboard manipulation, AMSI bypass, API-driven payload obfuscation, cross-platform targeting with lures localized in 25+ languages.
- **First Seen:** Early 2024 (Significant surge documented in 2025/2026).
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- **T1204.004 - User Execution: Malicious Custom Command**
- **TA0002 - Execution**
- **T1059.001 - Command and Scripting Interpreter: PowerShell**
- **TA0005 - Defense Evasion**
- **T1027 - Obfuscated Files or Information**
- **T1134 - Access Token Manipulation** (API-driven access control)
- **T1564.003 - Hide Artifacts: Hidden Window** (conhost --headless)
- **TA0007 - Discovery**
- **T1082 - System Information Discovery** (OS-specific payloads)
## Functionality
### Core Capabilities
- **Social Engineering Lures:** Displays fake Google reCAPTCHA or system error dialogues.
- **Clipboard Hijacking:** Hidden JavaScript automatically copies a malicious string to the user’s clipboard upon interaction.
- **API-Driven Back Office:** Payloads are served via an API that validates access tokens and logs victim data before delivering a command.
- **OS Awareness:** The system detects the visitor's OS and serves localized lures and platform-specific commands (PowerShell on Windows, Terminal on macOS).
### Advanced Features
- **Dynamic Obfuscation:** The backend server generates unique payloads for every request using a rotating combination of Base64, AES, TripleDES, Rijndael, and Deflate.
- **Downloads-Folder Method:** To evade AMSI, the site drops a `tmp.zip` file in the Downloads folder. The clipboard command only contains a short "orchestrator" line to move and unzip the file, keeping the malicious logic out of the initial scanned command.
- **Terminal Integration:** Modern variants direct users to `Windows+X` (Windows Terminal) instead of `Windows+R` (Run box) to avoid leaving traces in the `RunMRU` registry key and appear more "legitimate" to technical users.
## Indicators of Compromise
- **File Names:** `tmp.zip`, `tmp.ps1`, `7947.zip`
- **Network Indicators:** API servers delivering payloads (often behind access tokens).
- **Behavioral Indicators:**
- `powershell.exe` or `pwsh.exe` launched from `conhost.exe` with the `--headless` flag.
- Unexpected use of `tar.exe` to decompress files in the `$env:TMP` directory.
- Manual execution of PowerShell scripts with `-ExecutionPolicy Bypass` from a terminal window.
## Associated Threat Actors
- **APT28** (Russia)
- **MuddyWater** (Iran)
- **Kimsuky** (North Korea)
- **ClickFake Interview** campaigns (Targeting crypto-sector workers)
## Detection Methods
- **Behavioral Detection:** Monitor for PowerShell processes characterized by "orchestrator" patterns (e.g., moving files from `\Downloads\` to `\Temp\` followed by extraction and execution).
- **Clipboard Monitoring:** Security tools (EDRs) can flag when a web browser places suspicious system commands (e.g., `powershell -C ...`) into the system clipboard.
- **Command Line Logging:** Enable PowerShell Script Block Logging (Event ID 4104) to capture the de-obfuscated code executed in memory.
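The behavioral indicators and the "orchestrator" detection pattern above translate directly into process-creation telemetry rules. The following is an added example written for this report, not tooling from the research it summarizes: it encodes the four behaviors (headless `conhost.exe` parent, `-ExecutionPolicy Bypass`, a Downloads-to-Temp move-and-extract chain, and `tar.exe` extracting under `%TEMP%`) as rules and runs them over constructed process events shaped like Sysmon Event ID 1 records. The event field names, rule names and sample command lines are assumptions made for the example; the sample events are constructed, not captured telemetry.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Minimal process-creation record modelled on Sysmon Event ID 1 / EDR telemetry.
# The field set is an assumption of this example; map your own schema onto it.
@dataclass
class ProcessEvent:
    image: str                 # full path of the new process
    command_line: str
    parent_image: str
    parent_command_line: str = ""

POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Temp-directory references in either PowerShell, cmd or expanded-path form.
TEMP_PATH = re.compile(r"\$env:tmp|\$env:temp|%tmp%|%temp%|\\temp\\")

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def headless_conhost_parent(ev: ProcessEvent) -> bool:
    """PowerShell spawned by conhost.exe --headless (hidden-window launch)."""
    return (_basename(ev.image) in POWERSHELL
            and _basename(ev.parent_image) == "conhost.exe"
            and "--headless" in ev.parent_command_line.lower())

def executionpolicy_bypass(ev: ProcessEvent) -> bool:
    """-ExecutionPolicy Bypass in any of its abbreviations (-ep, -exec, ...)."""
    return (_basename(ev.image) in POWERSHELL
            and re.search(r"-e[a-z]*\s+bypass", ev.command_line.lower()) is not None)

def downloads_to_temp_orchestrator(ev: ProcessEvent) -> bool:
    """One PowerShell command line that touches \\Downloads\\, a temp path,
    and a move/extract verb: the short orchestrator line ClickFix pastes."""
    if _basename(ev.image) not in POWERSHELL:
        return False
    cl = ev.command_line.lower()
    return ("\\downloads\\" in cl
            and TEMP_PATH.search(cl) is not None
            and re.search(r"move-item|\bmv\b|\bmove\b|expand-archive|\btar\b", cl) is not None)

def tar_extract_in_temp(ev: ProcessEvent) -> bool:
    """tar.exe extracting (-x) with a temp-directory path on its command line."""
    cl = ev.command_line.lower()
    return (_basename(ev.image) == "tar.exe"
            and re.search(r"(^|\s)-x", cl) is not None
            and TEMP_PATH.search(cl) is not None)

RULES: List[Tuple[str, Callable[[ProcessEvent], bool]]] = [
    ("headless_conhost_parent", headless_conhost_parent),
    ("executionpolicy_bypass", executionpolicy_bypass),
    ("downloads_to_temp_orchestrator", downloads_to_temp_orchestrator),
    ("tar_extract_in_temp", tar_extract_in_temp),
]

def evaluate(ev: ProcessEvent) -> List[str]:
    """Names of every rule the event matches, in RULES order."""
    return [name for name, rule in RULES if rule(ev)]

def triage(events: List[ProcessEvent]) -> List[Tuple[int, str, List[str]]]:
    """(index, severity, matched rules) for each event with at least one hit.
    Single hits are 'medium' because tar.exe in Temp and -ep bypass both occur
    in legitimate build and admin scripts; two or more hits on one event are 'high'."""
    out = []
    for i, ev in enumerate(events):
        hits = evaluate(ev)
        if hits:
            out.append((i, "high" if len(hits) >= 2 else "medium", hits))
    return out

# Constructed sample telemetry (not real captures): one benign script launch,
# one pasted orchestrator line, its tar.exe child, and a benign tar.exe run.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'powershell.exe -ep bypass -c "Move-Item $env:USERPROFILE\Downloads\tmp.zip $env:TMP; tar -xf $env:TMP\tmp.zip -C $env:TMP"',
                 r"C:\Windows\System32\conhost.exe",
                 r"conhost.exe --headless powershell.exe -ep bypass -c ..."),
    ProcessEvent(r"C:\Windows\System32\tar.exe",
                 r"tar.exe -xf C:\Users\alice\AppData\Local\Temp\tmp.zip -C C:\Users\alice\AppData\Local\Temp",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcessEvent(r"C:\Windows\System32\tar.exe",
                 r"tar.exe -xf C:\build\src.tar.gz -C C:\build",
                 r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for idx, severity, hits in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {severity} {hits}")
```

Correlating the orchestrator line with its `tar.exe` child (same process tree, seconds apart) is what lifts the `tar` rule from "medium" to a confident alert; on its own, extraction under `%TEMP%` is common enough in installers and CI agents that it should enrich, not page. Script Block Logging (Event ID 4104) then supplies the de-obfuscated body of whatever `tmp.ps1` ran after the extract, which is where the real payload becomes visible.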
## Mitigation Strategies
- **User Awareness:** Educate employees that legitimate websites and CAPTCHAs will *never* ask a user to copy/paste commands into a terminal.
- **Attack Surface Reduction:** Use Windows Defender Application Control (WDAC) or AppLocker to restrict PowerShell execution to signed scripts or specific users.
- **Terminal Hardening:** Set PowerShell to "Constrained Language Mode" where possible to limit the effectiveness of malicious scripts.
## Related Tools/Techniques
- **ClearFake:** A progenitor technique using fake browser update prompts.
- **EtherHiding:** Using blockchain-hosted code to deliver similar lures.
- **Amadey / Lumma Stealer:** Common final-stage malware payloads delivered via ClickFix.